11-11-2013 04:31 AM - edited 03-11-2019 08:03 PM
I have worked on Cisco PIX in the past and now I need to work on ASA. As far as I remember the PIX explicitly required NAT, Access rules & routes.
Is it the same for ASA when it comes to NAT? Does it require explicit NAT (nat or no nat)?
11-11-2013 06:03 AM
Hi,
With the ASA it depends very much on your software.
If you used 7.0 (or newer) software on the PIX firewalls then most of the ASA configuration format is either the same or you can easily determine the correct format if there has been some minor change.
If you are using 8.2 (or older) software version on the ASA then you will probably have to configure NAT between your local interfaces in one form or another for the traffic to flow normally.
If you are using 8.3 (or newer) software then you will be using a completely new NAT format that doesn't resemble the PIX or older ASA versions' NAT configuration at all. Though with the new software you generally don't need any NAT configurations between your local interfaces (LAN/DMZ) unless you specifically want to NAT some address or subnet to another address/subnet.
Naturally also if you have a Dynamic PAT/NAT configuration towards the external network and configure L2L VPN then you naturally have to configure NAT0 for the L2L VPN purpose, as otherwise Dynamic PAT would still apply to the traffic that is supposed to match the L2L VPN rules.
I guess in some older PIX firewalls you might have used NAT configurations to perform sort of access control on the firewall. That is not the case anymore and is not suggested by Cisco either.
You might have used a configuration called "nat-control" in the PIX firewalls. In the software levels 8.3 (and above) it doesn't exist anymore.
Hope this helps
Feel free to ask more if needed.
- Jouni
11-11-2013 06:33 AM
I am acquiring the latest ASA model with latest image, so explicit NAT is no longer needed then except for VPN.
11-11-2013 06:38 AM
Hi,
For a firewall on the edge of LAN and WAN you will naturally need the basic Dynamic NAT or Dynamic PAT. If you are adding a VPN Client or L2L VPN connection then you will need a NAT0 / NAT Exempt configuration for that. No NAT configurations are needed between your local LAN/DMZ interfaces if you don't wish to NAT.
If your firewall is purely for VPN purposes where there is no need for NAT you can essentially leave the NAT configuration blank.
If your firewall is located in the internal network between different network segments you won't need NAT either, unless of course you want to map/NAT addresses/subnets.
If you need any help with NAT configurations you can always ask here on the forums.
Here is a document I wrote about the new NAT configuration format. It has some example configurations also:
https://supportforums.cisco.com/docs/DOC-31116
Here is also a great document that might serve better for those that want to see the old and new NAT configuration format compared, so you can easily convert the configurations:
https://supportforums.cisco.com/docs/DOC-9129
- Jouni
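The two answers above describe the minimum NAT an edge ASA needs (Dynamic PAT to the outside, NAT exemption for the L2L VPN, nothing between LAN and DMZ) and note that the 8.3+ syntax looks nothing like the 8.2 syntax. The following is an added illustration written for this page, not configuration from the original posts or from Jouni's linked documents. The interface names, the 10.10.0.0/16 LAN, the 172.16.0.0/24 DMZ and the 192.168.50.0/24 remote VPN subnet are constructed example values, and the `no-proxy-arp route-lookup` keywords assume an 8.4(2) or newer image (a 2013 "latest image" would be 9.x).

```cisco
! ===== ASA 8.3 and newer (object NAT + twice NAT) =====
! Objects describe the networks; the NAT statements reference them.
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
 ! Dynamic PAT: everything from inside leaves with the outside interface IP.
 nat (inside,outside) dynamic interface
!
object network DMZ-NET
 subnet 172.16.0.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
object network REMOTE-VPN-NET
 subnet 192.168.50.0 255.255.255.0
!
! NAT exemption ("NAT0") for the L2L VPN, expressed as identity twice NAT.
! It is a manual (section 1) rule, so it is evaluated before the object
! NAT rules above and stops the Dynamic PAT from rewriting VPN traffic.
! no-proxy-arp: do not answer ARP for the remote subnet on the outside
! interface; route-lookup: use the routing table to pick the egress
! interface rather than the interface named in the NAT rule.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-VPN-NET REMOTE-VPN-NET no-proxy-arp route-lookup
!
! Note: no NAT statement at all for inside <-> dmz. In 8.3+ the traffic
! flows without one; only the ACLs and routes decide whether it is allowed.

! ===== Equivalent on ASA 8.2 and older (PIX-style nat/global) =====
! Dynamic PAT: nat ID 1 on inside and dmz maps to the outside interface IP.
! nat (inside) 1 0.0.0.0 0.0.0.0
! nat (dmz) 1 0.0.0.0 0.0.0.0
! global (outside) 1 interface
!
! NAT exemption for the VPN: nat ID 0 with an ACL that matches the
! protected traffic (source = local LAN, destination = remote VPN subnet).
! access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
! nat (inside) 0 access-list NONAT
!
! Without "nat-control" configured, 8.2 also lets inside <-> dmz traffic
! pass with no NAT statement; with it, every interface pair needs a rule.
```

Before trusting the rules, verify on the ASA itself: `show nat` lists the rules by section with hit counts, and `packet-tracer input inside tcp 10.10.1.5 12345 192.168.50.10 443` walks a simulated flow through the NAT and ACL lookups so you can confirm the exemption (not the Dynamic PAT) is what the VPN traffic matches. That same check, run against a non-VPN destination, should show the PAT rule being hit instead.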